Effective from: 30.07.2021
Last amended: 30.03.2026
This legitimate interests assessment explains why and under what conditions Inforegister processes business-related personal data on the basis of legitimate interest.
The assessment primarily concerns situations where data concerning a natural person is connected with a company, sole proprietor, non-profit association, apartment association, foundation or other legal or economic activity.
The purpose of the document is to explain: what the legitimate interest of Inforegister and related services is; why the processing of business data is necessary; what data is processed; from which sources the data originates; how the rights and interests of the data subject are assessed; and what proportionality measures and safeguards are applied.
This document does not replace the privacy terms. The privacy terms describe in more detail the organisation of data processing, data categories, sources, categories of recipients, retention and the procedure for exercising data-subject rights.
This assessment is based primarily on Regulation (EU) 2016/679 of the European Parliament and of the Council, the General Data Protection Regulation.
Article 5 of the GDPR sets out the principles relating to processing of personal data, including lawfulness, fairness, transparency, purpose limitation, data minimisation, accuracy, storage limitation, integrity and confidentiality.
Under Article 6(1)(f) of the GDPR, processing of personal data is lawful where processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject.
Accordingly, when processing is carried out on the basis of legitimate interest, Inforegister assesses three key questions: whether Inforegister, related services or third parties have a legitimate interest in the processing; whether processing of personal data is necessary for pursuing that legitimate interest; and whether the legitimate interests of Inforegister, users of related services and third parties override the interests, rights and freedoms of the data subject.
Inforegister also takes into account the rights of data subjects arising, among others, from Articles 12, 15, 16, 17, 18, 19 and 21 of the GDPR. These provisions concern transparent information, access to data, rectification of data, erasure, restriction of processing, notification of recipients and the right to object.
For the purposes of this assessment, the term Inforegister is used in a broad sense. It includes the Inforegister database and related services that may be provided or used by service providers belonging to the same group of companies or by otherwise related service providers, including Inforegister, Storybook, 1Contact, Kreedix and other related services.
These services may use the same or partly overlapping business data originating from public and lawful sources. However, the purpose of use, manner of display, scope visible to the user and legal basis for processing may differ from service to service.
Where a specific service acts as a separate controller or processor, responsibility is determined according to the terms of the service, contracts and the actual purpose of the data processing.
Inforegister processes business-related data that may include data concerning natural persons where those persons are connected with a business, management, ownership, representation or other commercial role.
Such data may include, for example: first name and surname; personal identification code or date of birth to the necessary or limited extent; role in a company or other entity; start and end date of the role; status as a management board member, supervisory board member, procurator, liquidator, bankruptcy trustee, shareholder, identified beneficial owner or other related person; business and professional prohibitions; related companies and historical relationships; representation rights; ownership relationships; business-related contact details; notices, register entries, reporting or background information from public sources; and aggregate views, relationships, scores, ratings, risk indicators and analytical indicators created on the basis of business data.
Inforegister does not collect persons’ private-life data for the purpose of describing their private life. The focus of processing is business data and roles connected with business activity.
Where documents, notices, court decisions, media coverage, websites or other sources originating from public sources and connected with a company contain data relating to natural persons, such data is treated primarily as information appearing through the company and not as a description of the data subject’s non-business life.
Inforegister uses public, lawful and reliable sources when processing business data.
Such sources may include, for example: the Commercial Register; public data of the Tax and Customs Board; Official Announcements; public data on court decisions and court proceedings; public state registers; company websites; contact details published by companies themselves; company social-media channels and other public digital channels; public procurement, grants, activity licences or other public datasets; the Unemployment Insurance Fund and other public sources of job-offer or activity data; data submitted by a company, user or contractual partner; and other lawful and publicly available sources.
Inforegister does not make queries for the purpose of investigating a data subject’s private life or publishing non-business personal data concerning the data subject. Data appears primarily through a company, business role, public register or business-related source.
Where data originates from a public register, rectification of the data may first require changing the data in the relevant primary source.
The purpose of data processing by Inforegister and related services is to support a transparent, reliable and functioning business environment.
Data is processed, among other things, for the following purposes: displaying company background information; understanding company management, representation rights and ownership relationships; identifying identified beneficial owners and related persons; assessing business risks and credit risk; assessing payment behaviour, financial standing and reliability; background checks of contractual partners; preventing fraud, shell companies, nominees, straw persons and misuse; supporting business-to-business communication and business networks; enabling company visibility and a digital profile; supporting claims, debt management and credit management; ensuring data quality, currency and comparability; and making information from public sources understandable and practically usable.
Processing of business data supports general civil and commercial transactions and legal certainty. Persons who enter into transactions, employment relationships, credit relationships or other business relationships with a company have a legitimate interest in verifying the company’s representation rights, background, payment behaviour and reliability.
Availability of business data helps prevent situations where a business decision is made on the basis of incomplete or misleading information. Damage suffered by one undertaking may spread to its clients, employees, suppliers, creditors and other business partners. Therefore, transparency of business data has a broader impact on the reliability of the entire economic environment.
Inforegister has a legitimate interest in processing business-related data in order to provide business information, credit information, business analytics, background-check, relationship-analysis and related services.
Inforegister’s legitimate interest is not limited to carrying out economic activity, but also includes providing a service that helps users make informed business decisions involving a reasonable level of risk.
The legitimate interest of third parties includes, among other things, the ability to check a company’s representation rights; assess a company’s background and reliability; assess a company’s credit risk and payment behaviour; check company management, ownership and relationships involving identified beneficial owners; avoid transactions with unreliable or high-risk companies; prevent financial damage, legal costs and reputational harm; assess the background of an employer, contractual partner, supplier, customer or debtor; and fulfil their duty of care when making informed decisions involving reasonable risk.
Entrepreneurs, creditors, job seekers, investors, consumers and other market participants may have a legitimate interest in assessing with whom they enter into a transaction, employment relationship, credit relationship or other legal relationship.
Information portals and business-information services have an important societal role because they help ensure transparency of legal and commercial transactions, legal certainty, the reliability of the business environment and informed mitigation of business risks.
Inforegister’s legitimate interest cannot be achieved merely by technically reproducing the Commercial Register card.
The Commercial Register is an important primary source, but in order to understand a company’s actual background, reliability, credit risk and business relationships, it is necessary to aggregate, clean, link, compare, analyse and present different data in a form understandable to users.
Without such data processing, it would not be possible to provide credit-information, business-information, background-check, risk-assessment, relationship-analysis, company-comparison, sales-information or business-network services.
Processing is also necessary because companies operate through natural persons. Management, representation rights, ownership, beneficial-owner status and historical roles cannot be understood without the natural persons connected with the company.
For assessing a company’s reliability, it is not enough to look only at current roles or the current register-card status. Earlier relationships may have significant meaning because the end of a relationship between a natural person and a legal person does not erase the earlier business activity, reporting behaviour, debts, bankruptcies, compulsory deletions, transfers of companies or other circumstances relevant to assessing business risk.
Therefore, invalid and historical relationships may also be necessary so that users can assess the company’s background, the behavioural patterns of related persons and potential business risks in a complete manner.
Inforegister takes into account both its own and service users’ legitimate interests and the rights and interests of the data subject.
In balancing interests, Inforegister considers, among other things: the source of the data; the connection of the data with business activity or public legal transactions; the public nature of the data in the primary source; the necessity of the data for understanding the company background or risk; the data subject’s role in the company; the possible impact of the data on the data subject; the accuracy and currency of the data; whether display of the data is necessary or excessive; and whether visibility restrictions or other mitigating measures can be applied.
As a rule, the processing of business-related data is justified where the data originates from public or lawful sources, is connected with the person’s commercial or legal role and is necessary for assessing the company’s background, management, ownership, reliability or business risk.
In balancing interests, Inforegister takes into account that a person active in business must reasonably expect that their business-related roles and relationships may be publicly visible and may be processed for business-information, credit-information and background-check purposes. For example, being a management board member, shareholder, identified beneficial owner, sole proprietor or other person connected with business activity is linked to public legal and commercial transactions and the business environment.
In this context, the data subject is generally not a child or another particularly vulnerable person, but an adult with legal capacity participating in business activity or legal transactions. This does not exclude protection of the data subject’s rights, but it affects the balancing of interests.
Inforegister also takes into account that for many data subjects, the display of business data may have a positive effect if it helps show that the companies connected with the person are reliable, financially sound and meet their obligations.
A company as a legal person operates through natural persons. Company management, representation, ownership, identified beneficial-owner status, earlier roles and business relationships are expressed through specific people.
Data concerning natural persons connected with a company is therefore necessary in order to understand who manages the company, who can represent it, who benefits from it, what the company’s history is and which persons may affect the company’s activities, reliability and business risks.
In business, the formal counterparty is often a legal person, but decisions are made by natural persons. Through natural persons, new companies are created, companies are managed, assets are transferred, reporting obligations are left unfulfilled, companies are transferred, contracts are entered into and other business decisions are made. Therefore, the business-related behavioural pattern of a natural person may be highly relevant when assessing the risk and reliability of a company.
If the natural persons connected with a company were removed from the company profile, the profile could become incomplete, misleading and defective from a data-quality perspective. It could also contradict public registers and other business-information sources where the same relationship remains visible.
The Commercial Register is the official registrar whose function is to record data entered in the register concerning legal persons. Commercial Register data is an important primary source for Inforegister, but the Commercial Register card does not always provide a complete and practically usable overview of a company’s financial position, payment behaviour, credit risk, business relationships, management history, related persons or reliability.
Inforegister does not replace the Commercial Register and is not limited to the technical repetition of register data. Inforegister processes data originating from public and lawful sources in order to make business information understandable, comparable and practically usable for the user.
For this purpose, Inforegister may prepare aggregate views, credit assessments, credit scores, risk indicators, relationship maps, historical overviews, payment-behaviour assessments, comparisons by field of activity and other analytical indicators.
The purpose of such analytical processing is not to disclose information concerning a person’s private life, but to help users assess a company’s background, credit risk, solvency, reliability, management, ownership relationships and business connections.
Inforegister may prepare credit scores, risk assessments, ratings, forecasts, comparisons and other analytical indicators on the basis of data originating from public and lawful sources.
Such indicators are not intended to describe the private life of the data subject, but to assess a company’s financial standing, solvency, business risk, payment behaviour, reliability and activity pattern.
Analytical indicators may be based on multiple data points, including the company’s financial data, tax behaviour, reporting discipline, history of management and relationships, previous business risks, debts, payment defaults, field of activity, age, size and other business-related characteristics.
The purpose of credit scores and risk assessments is to provide the user with an aggregated assessment that helps the user make more informed business, credit or contractual decisions.
Inforegister does not create a credit score or risk assessment concerning the data subject’s private life. Scores and ratings are primarily prepared in respect of companies and their purpose is to describe the company’s solvency, payment behaviour, financial position and business risk.
If a company score or risk indicator is displayed in a view connected with a person, it must be understood as an assessment of the related company and not as a separate assessment of the person’s private life, personal characteristics or private reliability.
Inforegister may display relationships between companies and persons connected with them as aggregate views, relationship maps, graphs or visualisations.
The purpose of such views is to make business data originating from public and lawful sources understandable for users and to help assess company ownership, management, related persons, identified beneficial owners, historical roles and business risks.
Visualising relationships does not in itself create a new private-life fact, but presents business-related data to the user in an understandable form.
Relationship maps and aggregate views are necessary because business risks do not always appear on the register card of a single company. Risk may become apparent through related companies, related persons, historical roles, ownership relationships or recurring behavioural patterns.
Inforegister and related services may make business data available in web environments, reports, API interfaces, data products, analytical services or contractual service views.
An API is a technical method of data transmission, not a separate data category. Transmission of data through an API does not change the nature of business data and does not in itself mean that the processing is different from displaying data in a web environment, report or other business-information service.
APIs and data products enable users to use business data for assessing business risks, background checks, credit decisions, customer management, compliance checks or other legitimate purposes.
Categories of recipients, principles of data transfer and explanations concerning third parties are described in more detail in the privacy terms.
Inforegister applies proportionate measures to protect data-subject rights.
Such measures may include, for example: restricting the public visibility of a separate personal profile; not displaying the full personal identification code in the public view for users who are not logged in; differentiating data access by user level; where necessary, submitting removal or re-crawling requests to search engines; rectifying incorrect or outdated data; assessing the scope of data display; processing repetitive or excessive requests proportionately; and restricting data processing in cases where there is a legal and factual basis for doing so.
Inforegister may restrict data access by user levels. This means that all data may not be publicly visible to every user who is not logged in. Some data may be visible only to registered users, contractual clients or other users who have separate access to the service.
Such differentiation of access levels helps reduce access to data out of mere curiosity and supports the principle that more detailed business information is available primarily to users who have a practical business or legitimate need for it.
These measures help reduce excessive public identifiability of a person while preserving the integrity, accuracy and usability of business data.
The data subject has the right to object to processing carried out on the basis of legitimate interest.
Article 21 of the GDPR gives the data subject the right to object on grounds relating to their particular situation. However, submitting an objection does not automatically mean that processing must in all cases cease. Inforegister may continue processing where there are compelling legitimate grounds that override the interests, rights and freedoms of the data subject.
When assessing an objection, Inforegister takes into account the data subject’s specific situation, the purpose of processing, the source of the data, the public nature of the data, the legitimate interests of third parties and the societal role of business data.
A general statement that publication of business data may theoretically enable spam, unwanted contacts, mass collection, identity theft or other misuse does not automatically mean that processing is disproportionate in respect of the specific data subject.
If the data subject claims that Inforegister’s processing specifically causes them a particular, real and person-specific risk, the data subject must describe that situation and, where possible, provide concrete circumstances or evidence. Inforegister assesses such circumstances case by case.
If the data subject does not provide concrete circumstances or evidence and limits the objection to a general or hypothetical risk, Inforegister may assess the objection on the basis of the available information and conclude that a general objection does not override the legitimate interest of Inforegister, service users and third parties in processing business data.
Complete deletion of business-related data is not always proportionate or possible where the data originates from public or lawful sources and there is an ongoing legal basis for processing it.
If business-related data concerning a person were deleted only from the Inforegister database while the same data remained visible in the Commercial Register, public registers, other business-information portals or sources published by the company itself, deletion might not achieve the purpose sought by the data subject.
At the same time, such deletion could make the Inforegister company profile incomplete, inaccurate, inconsistent with public sources or defective from a data-quality perspective.
Inforegister therefore assesses deletion requests by data category, processing purpose, legal basis and specific circumstances.
Where a data subject’s request can be resolved by a less intrusive measure, such as restricting the public visibility of a separate personal profile, rectifying incorrect data or restricting a specific data field, such a measure may be more proportionate than deletion of all business-related data.
Inforegister retains business-related personal data for as long as necessary for the purposes described in this assessment, including for the integrity of business data, the reliability of legal and commercial transactions, credit-risk assessment, understanding historical relationships and protection of legal claims.
Historical relationships may be important for assessing business risks even after a current role has ended. The end of a relationship does not erase the preceding business activity or the risks connected with it.
For example, a user may have a justified interest in knowing whether a person connected with a company has previously managed companies that failed to submit reports, incurred debts, ended in bankruptcy, were deleted from the register or transferred to nominees.
When determining the retention period, Inforegister considers the source of the data, the public nature of the data in primary sources, the meaning of the business data for risk assessment, limitation periods for claims, the rights of the data subject and the necessity of the data for the purposes of the service.
When assessing retention, Inforegister also takes into account that in many primary sources, including the Commercial Register, historical information connected with business activity may be available for a long period or indefinitely. Inforegister’s purpose is not to retain data longer than necessary, but the value and necessity of business data do not always end immediately when a specific role ends.
If a person is no longer active in business or their relationships with companies have ended, Inforegister may assess whether and to what extent further display or processing of the data is necessary and proportionate.
The data subject has the right to submit a request for access to personal data, rectification of data, erasure, restriction of processing or objection to processing.
Inforegister handles data-subject requests in accordance with the GDPR and applicable data-protection principles.
If a request concerns the general description of data processing, data categories, sources, purposes, legal bases, categories of recipients or retention principles, Inforegister may respond by referring to the privacy terms, this legitimate interests assessment or the procedure for restricting the visibility of a personal profile.
If the data subject considers that a specific data category, data field or analytical indicator is incorrect, outdated or disproportionate, the data subject must provide a specific and detailed reference to the data that requires rectification, restriction or assessment.
A general statement such as “the data is incorrect”, “delete all data” or “I allow only Commercial Register data to be displayed” may not be sufficient for substantive handling of the request if it does not identify the specific data category, error, basis or particular situation of the person.
Inforegister’s legitimate interest lies in processing business data in order to support a transparent, reliable and functioning business environment.
Processing is necessary because understanding business data requires aggregation, cleaning, linking, comparison, analysis and presentation of data in a form understandable to users.
Companies operate through natural persons, and understanding company management, representation rights, ownership, identified beneficial owners and historical relationships is not possible without data concerning the natural persons connected with the company.
Data-subject rights are protected through proportionate measures, including restriction of public visibility, partial display of the personal identification code, rectification of incorrect data, differentiation of user access levels and case-by-case assessment of specific objections.
As a rule, the data subject’s general wish to reduce the public visibility of business data does not override the legitimate interest of Inforegister, service users and third parties in receiving reliable, up-to-date and analytical business information.
Effective from: 30.07.2021
Last amended: 30.03.2026
This legitimate interests assessment explains why and under what conditions Inforegister processes business-related personal data on the basis of legitimate interest.
The assessment primarily concerns situations where data concerning a natural person is connected with a company, sole proprietor, non-profit association, apartment association, foundation or other legal or economic activity.
The purpose of the document is to explain: what the legitimate interest of Inforegister and related services is; why the processing of business data is necessary; what data is processed; from which sources the data originates; how the rights and interests of the data subject are assessed; and what proportionality measures and safeguards are applied.
This document does not replace the privacy terms. The privacy terms describe in more detail the organisation of data processing, data categories, sources, categories of recipients, retention and the procedure for exercising data-subject rights.
This assessment is based primarily on Regulation (EU) 2016/679 of the European Parliament and of the Council, the General Data Protection Regulation.
Article 5 of the GDPR sets out the principles relating to processing of personal data, including lawfulness, fairness, transparency, purpose limitation, data minimisation, accuracy, storage limitation, integrity and confidentiality.
Under Article 6(1)(f) of the GDPR, processing of personal data is lawful where processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject.
Accordingly, when processing is carried out on the basis of legitimate interest, Inforegister assesses three key questions: whether Inforegister, related services or third parties have a legitimate interest in the processing; whether processing of personal data is necessary for pursuing that legitimate interest; and whether the legitimate interests of Inforegister, users of related services and third parties override the interests, rights and freedoms of the data subject.
Inforegister also takes into account the rights of data subjects arising, among others, from Articles 12, 15, 16, 17, 18, 19 and 21 of the GDPR. These provisions concern transparent information, access to data, rectification of data, erasure, restriction of processing, notification of recipients and the right to object.
For the purposes of this assessment, the term Inforegister is used in a broad sense. It includes the Inforegister database and related services that may be provided or used by service providers belonging to the same group of companies or by otherwise related service providers, including Inforegister, Storybook, 1Contact, Kreedix and other related services.
These services may use the same or partly overlapping business data originating from public and lawful sources. However, the purpose of use, manner of display, scope visible to the user and legal basis for processing may differ from service to service.
Where a specific service acts as a separate controller or processor, responsibility is determined according to the terms of the service, contracts and the actual purpose of the data processing.
Inforegister processes business-related data that may include data concerning natural persons where those persons are connected with a business, management, ownership, representation or other commercial role.
Such data may include, for example: first name and surname; personal identification code or date of birth to the necessary or limited extent; role in a company or other entity; start and end date of the role; status as a management board member, supervisory board member, procurator, liquidator, bankruptcy trustee, shareholder, identified beneficial owner or other related person; business and professional prohibitions; related companies and historical relationships; representation rights; ownership relationships; business-related contact details; notices, register entries, reporting or background information from public sources; and aggregate views, relationships, scores, ratings, risk indicators and analytical indicators created on the basis of business data.
Inforegister does not collect persons’ private-life data for the purpose of describing their private life. The focus of processing is business data and roles connected with business activity.
Where documents, notices, court decisions, media coverage, websites or other sources originating from public sources and connected with a company contain data relating to natural persons, such data is treated primarily as information appearing through the company and not as a description of the data subject’s non-business life.
Inforegister uses public, lawful and reliable sources when processing business data.
Such sources may include, for example: the Commercial Register; public data of the Tax and Customs Board; Official Announcements; public data on court decisions and court proceedings; public state registers; company websites; contact details published by companies themselves; company social-media channels and other public digital channels; public procurement, grants, activity licences or other public datasets; the Unemployment Insurance Fund and other public sources of job-offer or activity data; data submitted by a company, user or contractual partner; and other lawful and publicly available sources.
Inforegister does not make queries for the purpose of investigating a data subject’s private life or publishing non-business personal data concerning the data subject. Data appears primarily through a company, business role, public register or business-related source.
Where data originates from a public register, rectification of the data may first require changing the data in the relevant primary source.
The purpose of data processing by Inforegister and related services is to support a transparent, reliable and functioning business environment.
Data is processed, among other things, for the following purposes: displaying company background information; understanding company management, representation rights and ownership relationships; identifying identified beneficial owners and related persons; assessing business risks and credit risk; assessing payment behaviour, financial standing and reliability; background checks of contractual partners; preventing fraud, shell companies, nominees, straw persons and misuse; supporting business-to-business communication and business networks; enabling company visibility and a digital profile; supporting claims, debt management and credit management; ensuring data quality, currency and comparability; and making information from public sources understandable and practically usable.
Processing of business data supports general civil and commercial transactions and legal certainty. Persons who enter into transactions, employment relationships, credit relationships or other business relationships with a company have a legitimate interest in verifying the company’s representation rights, background, payment behaviour and reliability.
Availability of business data helps prevent situations where a business decision is made on the basis of incomplete or misleading information. Damage suffered by one undertaking may spread to its clients, employees, suppliers, creditors and other business partners. Therefore, transparency of business data has a broader impact on the reliability of the entire economic environment.
Inforegister has a legitimate interest in processing business-related data in order to provide business information, credit information, business analytics, background-check, relationship-analysis and related services.
Inforegister’s legitimate interest is not limited to carrying out economic activity, but also includes providing a service that helps users make informed business decisions involving a reasonable level of risk.
The legitimate interest of third parties includes, among other things, the ability to check a company’s representation rights; assess a company’s background and reliability; assess a company’s credit risk and payment behaviour; check company management, ownership and relationships involving identified beneficial owners; avoid transactions with unreliable or high-risk companies; prevent financial damage, legal costs and reputational harm; assess the background of an employer, contractual partner, supplier, customer or debtor; and fulfil their duty of care when making informed decisions involving reasonable risk.
Entrepreneurs, creditors, job seekers, investors, consumers and other market participants may have a legitimate interest in assessing with whom they enter into a transaction, employment relationship, credit relationship or other legal relationship.
Information portals and business-information services have an important societal role because they help ensure transparency of legal and commercial transactions, legal certainty, the reliability of the business environment and informed mitigation of business risks.
Inforegister’s legitimate interest cannot be achieved merely by technically reproducing the Commercial Register card.
The Commercial Register is an important primary source, but in order to understand a company’s actual background, reliability, credit risk and business relationships, it is necessary to aggregate, clean, link, compare, analyse and present different data in a form understandable to users.
Without such data processing, it would not be possible to provide credit-information, business-information, background-check, risk-assessment, relationship-analysis, company-comparison, sales-information or business-network services.
Processing is also necessary because companies operate through natural persons. Management, representation rights, ownership, beneficial-owner status and historical roles cannot be understood without the natural persons connected with the company.
For assessing a company’s reliability, it is not enough to look only at current roles or the current register-card status. Earlier relationships may have significant meaning because the end of a relationship between a natural person and a legal person does not erase the earlier business activity, reporting behaviour, debts, bankruptcies, compulsory deletions, transfers of companies or other circumstances relevant to assessing business risk.
Therefore, invalid and historical relationships may also be necessary so that users can assess the company’s background, the behavioural patterns of related persons and potential business risks in a complete manner.
Inforegister takes into account both its own and service users’ legitimate interests and the rights and interests of the data subject.
In balancing interests, Inforegister considers, among other things: the source of the data; the connection of the data with business activity or public legal transactions; the public nature of the data in the primary source; the necessity of the data for understanding the company background or risk; the data subject’s role in the company; the possible impact of the data on the data subject; the accuracy and currency of the data; whether display of the data is necessary or excessive; and whether visibility restrictions or other mitigating measures can be applied.
As a rule, the processing of business-related data is justified where the data originates from public or lawful sources, is connected with the person’s commercial or legal role and is necessary for assessing the company’s background, management, ownership, reliability or business risk.
In balancing interests, Inforegister takes into account that a person active in business must reasonably expect that their business-related roles and relationships may be publicly visible and may be processed for business-information, credit-information and background-check purposes. For example, being a management board member, shareholder, identified beneficial owner, sole proprietor or other person connected with business activity is linked to public legal and commercial transactions and the business environment.
In this context, the data subject is generally not a child or another particularly vulnerable person, but an adult with legal capacity participating in business activity or legal transactions. This does not exclude protection of the data subject’s rights, but it affects the balancing of interests.
Inforegister also takes into account that for many data subjects, the display of business data may have a positive effect if it helps show that the companies connected with the person are reliable, financially sound and meet their obligations.
A company as a legal person operates through natural persons. Company management, representation, ownership, identified beneficial-owner status, earlier roles and business relationships are expressed through specific people.
Data concerning natural persons connected with a company is therefore necessary in order to understand who manages the company, who can represent it, who benefits from it, what the company’s history is and which persons may affect the company’s activities, reliability and business risks.
In business, the formal counterparty is often a legal person, but decisions are made by natural persons. Through natural persons, new companies are created, companies are managed, assets are transferred, reporting obligations are left unfulfilled, companies are transferred, contracts are entered into and other business decisions are made. Therefore, the business-related behavioural pattern of a natural person may be highly relevant when assessing the risk and reliability of a company.
If the natural persons connected with a company were removed from the company profile, the profile could become incomplete, misleading and defective from a data-quality perspective. It could also contradict public registers and other business-information sources where the same relationship remains visible.
The Commercial Register is the official registrar whose function is to record data entered in the register concerning legal persons. Commercial Register data is an important primary source for Inforegister, but the Commercial Register card does not always provide a complete and practically usable overview of a company’s financial position, payment behaviour, credit risk, business relationships, management history, related persons or reliability.
Inforegister does not replace the Commercial Register and is not limited to the technical repetition of register data. Inforegister processes data originating from public and lawful sources in order to make business information understandable, comparable and practically usable for the user.
For this purpose, Inforegister may prepare aggregate views, credit assessments, credit scores, risk indicators, relationship maps, historical overviews, payment-behaviour assessments, comparisons by field of activity and other analytical indicators.
The purpose of such analytical processing is not to disclose information concerning a person’s private life, but to help users assess a company’s background, credit risk, solvency, reliability, management, ownership relationships and business connections.
Inforegister may prepare credit scores, risk assessments, ratings, forecasts, comparisons and other analytical indicators on the basis of data originating from public and lawful sources.
Such indicators are not intended to describe the private life of the data subject, but to assess a company’s financial standing, solvency, business risk, payment behaviour, reliability and activity pattern.
Analytical indicators may be based on multiple data points, including the company’s financial data, tax behaviour, reporting discipline, history of management and relationships, previous business risks, debts, payment defaults, field of activity, age, size and other business-related characteristics.
The purpose of credit scores and risk assessments is to provide the user with an aggregated assessment that helps the user make more informed business, credit or contractual decisions.
Inforegister does not create a credit score or risk assessment concerning the data subject’s private life. Scores and ratings are primarily prepared in respect of companies and their purpose is to describe the company’s solvency, payment behaviour, financial position and business risk.
If a company score or risk indicator is displayed in a view connected with a person, it must be understood as an assessment of the related company and not as a separate assessment of the person’s private life, personal characteristics or private reliability.
Inforegister may display relationships between companies and persons connected with them as aggregate views, relationship maps, graphs or visualisations.
The purpose of such views is to make business data originating from public and lawful sources understandable for users and to help assess company ownership, management, related persons, identified beneficial owners, historical roles and business risks.
Visualising relationships does not in itself create a new private-life fact, but presents business-related data to the user in an understandable form.
Relationship maps and aggregate views are necessary because business risks do not always appear on the register card of a single company. Risk may become apparent through related companies, related persons, historical roles, ownership relationships or recurring behavioural patterns.
Inforegister and related services may make business data available in web environments, reports, API interfaces, data products, analytical services or contractual service views.
An API is a technical method of data transmission, not a separate data category. Transmission of data through an API does not change the nature of business data and does not in itself mean that the processing is different from displaying data in a web environment, report or other business-information service.
APIs and data products enable users to use business data for assessing business risks, background checks, credit decisions, customer management, compliance checks or other legitimate purposes.
Categories of recipients, principles of data transfer and explanations concerning third parties are described in more detail in the privacy terms.
Inforegister applies proportionate measures to protect data-subject rights.
Such measures may include, for example: restricting the public visibility of a separate personal profile; not displaying the full personal identification code in the public view for users who are not logged in; differentiating data access by user level; where necessary, submitting removal or re-crawling requests to search engines; rectifying incorrect or outdated data; assessing the scope of data display; processing repetitive or excessive requests proportionately; and restricting data processing in cases where there is a legal and factual basis for doing so.
Inforegister may restrict data access by user levels. This means that all data may not be publicly visible to every user who is not logged in. Some data may be visible only to registered users, contractual clients or other users who have separate access to the service.
Such differentiation of access levels helps reduce access to data out of mere curiosity and supports the principle that more detailed business information is available primarily to users who have a practical business or legitimate need for it.
These measures help reduce excessive public identifiability of a person while preserving the integrity, accuracy and usability of business data.
The data subject has the right to object to processing carried out on the basis of legitimate interest.
Article 21 of the GDPR gives the data subject the right to object on grounds relating to their particular situation. However, submitting an objection does not automatically mean that processing must in all cases cease. Inforegister may continue processing where there are compelling legitimate grounds that override the interests, rights and freedoms of the data subject.
When assessing an objection, Inforegister takes into account the data subject’s specific situation, the purpose of processing, the source of the data, the public nature of the data, the legitimate interests of third parties and the societal role of business data.
A general statement that publication of business data may theoretically enable spam, unwanted contacts, mass collection, identity theft or other misuse does not automatically mean that processing is disproportionate in respect of the specific data subject.
If the data subject claims that Inforegister’s processing specifically causes them a particular, real and person-specific risk, the data subject must describe that situation and, where possible, provide concrete circumstances or evidence. Inforegister assesses such circumstances case by case.
If the data subject does not provide concrete circumstances or evidence and limits the objection to a general or hypothetical risk, Inforegister may assess the objection on the basis of the available information and conclude that a general objection does not override the legitimate interest of Inforegister, service users and third parties in processing business data.
Complete deletion of business-related data is not always proportionate or possible where the data originates from public or lawful sources and there is an ongoing legal basis for processing it.
If business-related data concerning a person were deleted only from the Inforegister database while the same data remained visible in the Commercial Register, public registers, other business-information portals or sources published by the company itself, deletion might not achieve the purpose sought by the data subject.
At the same time, such deletion could make the Inforegister company profile incomplete, inaccurate, inconsistent with public sources or defective from a data-quality perspective.
Inforegister therefore assesses deletion requests by data category, processing purpose, legal basis and specific circumstances.
Where a data subject’s request can be resolved by a less intrusive measure, such as restricting the public visibility of a separate personal profile, rectifying incorrect data or restricting a specific data field, such a measure may be more proportionate than deletion of all business-related data.
Inforegister retains business-related personal data for as long as necessary for the purposes described in this assessment, including for the integrity of business data, the reliability of legal and commercial transactions, credit-risk assessment, understanding historical relationships and protection of legal claims.
Historical relationships may be important for assessing business risks even after a current role has ended. The end of a relationship does not erase the preceding business activity or the risks connected with it.
For example, a user may have a justified interest in knowing whether a person connected with a company has previously managed companies that failed to submit reports, incurred debts, ended in bankruptcy, were deleted from the register or transferred to nominees.
When determining the retention period, Inforegister considers the source of the data, the public nature of the data in primary sources, the meaning of the business data for risk assessment, limitation periods for claims, the rights of the data subject and the necessity of the data for the purposes of the service.
When assessing retention, Inforegister also takes into account that in many primary sources, including the Commercial Register, historical information connected with business activity may be available for a long period or indefinitely. Inforegister’s purpose is not to retain data longer than necessary, but the value and necessity of business data do not always end immediately when a specific role ends.
If a person is no longer active in business or their relationships with companies have ended, Inforegister may assess whether and to what extent further display or processing of the data is necessary and proportionate.
The data subject has the right to submit a request for access to personal data, rectification of data, erasure, restriction of processing or objection to processing.
Inforegister handles data-subject requests in accordance with the GDPR and applicable data-protection principles.
If a request concerns the general description of data processing, data categories, sources, purposes, legal bases, categories of recipients or retention principles, Inforegister may respond by referring to the privacy terms, this legitimate interests assessment or the procedure for restricting the visibility of a personal profile.
If the data subject considers that a specific data category, data field or analytical indicator is incorrect, outdated or disproportionate, the data subject must provide a specific and detailed reference to the data that requires rectification, restriction or assessment.
A general statement such as “the data is incorrect”, “delete all data” or “I allow only Commercial Register data to be displayed” may not be sufficient for substantive handling of the request if it does not identify the specific data category, error, basis or particular situation of the person.
Inforegister’s legitimate interest lies in processing business data in order to support a transparent, reliable and functioning business environment.
Processing is necessary because understanding business data requires aggregation, cleaning, linking, comparison, analysis and presentation of data in a form understandable to users.
Companies operate through natural persons, and understanding company management, representation rights, ownership, identified beneficial owners and historical relationships is not possible without data concerning the natural persons connected with the company.
Data-subject rights are protected through proportionate measures, including restriction of public visibility, partial display of the personal identification code, rectification of incorrect data, differentiation of user access levels and case-by-case assessment of specific objections.
As a rule, the data subject’s general wish to reduce the public visibility of business data does not override the legitimate interest of Inforegister, service users and third parties in receiving reliable, up-to-date and analytical business information.
The Storybook extension tells you which company's website you are currently on and how reliable that company is today. Download extension